Overview

overview

10

Static

static

3

ec61dbd2c4...6b.exe

windows7-x64

10

ec61dbd2c4...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec61dbd2c4cb2fe849dbc1f015ccd5590e985eb9749a2c64ffc7728d94f66d6b.exe

  • Size

    240KB

  • MD5

    2538b52d65bf2c4ba03cd8a44a423a48

  • SHA1

    1825c5ebec68177928ee326f38c36be2bb8a5b95

  • SHA256

    ec61dbd2c4cb2fe849dbc1f015ccd5590e985eb9749a2c64ffc7728d94f66d6b

  • SHA512

    97a46ec0bf19a02d79b5694fe835ad78f53af3b3e1a1d44491dc9dbfe73244618d156f0dfdacf219d83a14bbb97491228fc7acf82691af283ed366a9d29408fa

  • SSDEEP

    6144:/v/aTfyzleL+RYuArtKnq3kPDmVLmQpHQOmsW:3/aepe+YuQtKnq3kPDmVLm6wOFW

Score
10/10
gozi3503bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214098

Extracted

Family

gozi

Botnet

3503

C2

google.com

gmail.com

dbxmalachi.com

slowellalden.com

vkeenan86oo.com
Attributes
  • build

    214098

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec61dbd2c4cb2fe849dbc1f015ccd5590e985eb9749a2c64ffc7728d94f66d6b.exe
    "C:\Users\Admin\AppData\Local\Temp\ec61dbd2c4cb2fe849dbc1f015ccd5590e985eb9749a2c64ffc7728d94f66d6b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2508
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:930821 /prefetch:2
      2⤵
        PID:3036
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1920
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2760
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      09e9980f6cf95e6461df93e8895f8a21

      SHA1

      0b5cfa0dfc929b815c1170e6837cc54fb1185145

      SHA256

      063398f32071e58fcee7c9164cf7395ba176f3cecaf7555dbc8447117c1f2266

      SHA512

      4cae9e304f3c8058944c87825ed78ffa18633dee06f654a5726c75a1bf5afec7a6e9301710a44807843e860cb89fedcd14df736151581698edaff0d0bdfe0ca4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      facc8ef002aa05f4885f406eb4c6a639

      SHA1

      0c4a6c21a099c8ea5583b35230bb16de68fc66ab

      SHA256

      6175a673333967666a9b8cb51d956b650cac804f5f3f8d7209b0c1fc2fd0b717

      SHA512

      29aef0107299886633f48c97ebe4e000482bf171ba747eaa973dda79912fc16f3ccc8d777e8d780523ffed75e0cc30593a0e94e2b798119ce0de3664c2e4c878

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      58a6982d335d2be08f402cf16776951c

      SHA1

      b39dc5a3a67b8feef9d92a96933dc82a1d25b5f8

      SHA256

      303d9aa2fd32de950472e92b0884196f3df7c208ac8f62d7a211ba99af76b953

      SHA512

      ad8c0d922675f1d6ac586bf29b1b877cb6ab5bec8a7dec995bb5df81c1a142a972d95f6320821cd4f4132131a2854bd6288432a6205a867074f36ca1e3177b3e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      df008b6bc982728352630587f32c9c35

      SHA1

      65c0d32290443d72941b995a079e5b2cfacbcb23

      SHA256

      dffeb7a9f53e3ca7ac91593b1c131308544b263ab1ddd05384d3d2fb862d69a5

      SHA512

      fede9406b0e19dd6908207f91469731c5ce10ca68ee1f4b29e923f5023edd926627ca65ba6744e1cc1bd06b74f1eba54d6219d85186b894a43fcdc19129147cd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      7666c0334f3040f8efc79e1e4500e746

      SHA1

      4d0b2e215e4e42ae7fd68329745e827bd7f7dc1a

      SHA256

      e8b4d0fa95979e0dd46e31c89f613e7ec1ab4bbad167121fd3a78b0c3e67b357

      SHA512

      3781bd1fabffe4b643b978633505715f4ec232f0b4904591005b89fad1c0ca69a9cf14d852891d51db0c66a5f948d98314e269bdc72a8c79edddd0c84612cad7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3ec8aedd849519f0d8a2b518fa554d92

      SHA1

      c71a6df9e1a6e36d6569e26a3d65e505cd566302

      SHA256

      e268f0b3bc61e2f1c08c2251c10bd5f651efa86ce54d6e171abfafae6b432710

      SHA512

      b78cb2ed53e7ce018654aa91fda427385d331563226a3241fff26db093d7325a3a16de8e5651bfc53149ed92f96cfeb08a54841a426298ea4af0d0fed2c4a920

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b2e10f4ba5621829d7b8cb26260ffdaa

      SHA1

      fe3f1955433454b4dec2f5e23c3c8035c78098a5

      SHA256

      a0f8e2d28469eadc943dec986e56f77672222ae75b55d2dfccfd68f31d15fad0

      SHA512

      3a7d169b9f16b629fab1fb6e6246ce9e015d855aa6c1448582edb334341cd49dbfcf9e66bf8cc7027e4d1623057232949ee21c9ecf44d66b7a9cd2fdd46b0361

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      de1e7bcd30c7eead9ad7ffc199210010

      SHA1

      3989b3bfef40950bff2bc22ebbf7a3d48974ca69

      SHA256

      310af16008eaea5e2c2bfa5a3fdd6ddf3cd048b084d018ab5a5e322058f74f75

      SHA512

      6a957f639a5a931597a692d61ca75305ae305d0e364ff45b52b95e6685771a9495710bd58528aed5abec347003fb651a68e6390644d2b75947f72ad0d88470a6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1dce99cfeaf0391034ec223741977d0b

      SHA1

      02c2768dc5447fe7830eb10490e8b98bb53f7455

      SHA256

      47232243ead7411fca9c9174225826fbaa7344aaf63929af62f4fd7aaf39d54b

      SHA512

      2af6b945e7da7dc049a1cbe70cab5b62368907d2ee180ae702b559a9bd1b41b43c8d310bde2c4b12073e99d33d6441999f7cc15f187941500d5a59a24971ed95

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab5563.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5612.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFC84E2D237CE9A8BA.TMP
      Filesize

      16KB

      MD5

      6e8bb6bc0edd3ff4ee8f6acf149f8b2d

      SHA1

      81feca81fc5d03d4d573360a9d69f0ef40a1e01a

      SHA256

      807197ad2daa21263d99c77fa6d5a9da52308d1c2f4e1aa8dba0cda43f8fca3b

      SHA512

      f402af3bf49a9ea931430a62e27a4f21119ac24f67f7ad8304cff95fef7122b94d9e4311886a8f8c21696f4ecade73bbb65064bbdb862db03bc507a6a6b579eb

      Download Submit

    • memory/2508-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-10-0x00000000001B0000-0x00000000001B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2508-9-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2508-2-0x0000000000100000-0x000000000010F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2508-1-0x0000000000970000-0x00000000009C4000-memory.dmp

      Filesize

      336KB

      Download